b'Audit Report\n\n\n\n\nOIG-06-021\nManagement Letter For Fiscal Year 2005 Audit of the\nDepartment of the Treasury\xe2\x80\x99s Financial Statements\n\n\nJanuary 3, 2006\n\n\n\n\nOffice of\nInspector General\nDepartment of the Treasury\n\x0c                                      DEPARTMENT OF THE TREASURY\n                                            W ASHINGTON, D.C. 20220\n\n\n\n\n     OFFICE OF\nINSPECTOR GENERAL\n\n\n\n\n            MEMORANDUM FOR SANDRA L. PACK\n                           ASSISTANT SECRETARY FOR MANAGEMENT AND CHIEF\n                           FINANCIAL OFFICER\n\n            FROM:                 William H. Pugh,\n                                  Deputy Assistant Inspector General\n                                   for Financial Management and Information\n                                   Technology Audits\n\n            SUBJECT:              Management Letter for Fiscal Year 2005 Audit of the\n                                  Department of the Treasury\xe2\x80\x99s Financial Statements\n\n\n            I am pleased to transmit the attached management letter in connection with the\n            audit of the Department of the Treasury\xe2\x80\x99s (Department) Fiscal Year (FY) 2005\n            financial statements. We contracted with the independent certified public\n            accounting firm KPMG LLP to audit the Department\xe2\x80\x99s financial statements for\n            FY 2005. The contract required that the audit be performed in accordance with\n            generally accepted government auditing standards; Office of Management and\n            Budget Bulletin No. 
01-02, Audit Requirements for Federal Financial Statements,\n            and the GAO/PCIE Financial Audit Manual.\n\n            As part of its audit, KPMG LLP issued and is responsible for the accompanying\n            management letter that discusses certain matters involving internal control over\n            financial reporting and its operations that were identified during the audit which\n            were not required to be included in the audit report.\n\n            In connection with the contract, we reviewed KPMG LLP\xe2\x80\x99s letter and related\n            documentation and inquired of its representatives. Our review disclosed no\n            instances where KPMG LLP did not comply, in all material respects, with generally\n            accepted government auditing standards.\n\x0cPage 2\n\n\nShould you have any questions, please contact me at (202) 927-5400, or a\nmember of your staff may contact Mike Fitzgerald, Director, Financial Audits at\n(202) 927-5789.\n\nAttachment\n\ncc:   Harold Damelin\n      Inspector General\n\n      Marla A. 
Freedman\n      Assistant Inspector General For Audit\n\x0cDEPARTMENT OF THE TREASURY\n      FISCAL YEAR 2005\n\n    Management Letter Report\n\n       November 11, 2005\n\x0c                                DEPARTMENT OF THE TREASURY\n                                      FISCAL YEAR 2005\n                                       Management Letter Report\n\n\n                                           Table of Contents\n\n\n\n                                                                                            Page\n\nTransmittal Letter                                                                            1\n\nFiscal Year 2005 Recommendations:\n\n      05-01:   Succession Planning Must be Implemented Immediately                            3\n      05-02:   Financial Reporting Standards for Department Component Entities Should be\n               Consistent (Repeat Comment)                                                    5\n      05-03:   The Exchange Stabilization Fund\xe2\x80\x99s (ESF) Budgetary Accounting Methodology\n               Should be Clarified (Repeat Comment)                                           7\n      05-04: Annual Reconciliation Procedures to the President\xe2\x80\x99s Budget Should be\n             Improved                                                                        10\n      05-05:   A Formal Process is Needed to Monitor the Use of Sensitive System Software\n               Utilities                                                                     13\n      05-06:   Access Controls over the Treasury Information Executive Repository (TIER)\n               System Should be Strengthened                                                 14\n      05-07:   Configuration Management Processes Over CFO Vision Needs Improvement          17\n      05-08:   CFO Vision Access Controls Should be Strengthened                             19\n      05-09:   Financial Analysis and Reporting System (FARS) Access Controls Should be\n      
         Strengthened                                                                  21\n      05-10:   Backup Tapes for the Treasury Information Executive Repository (TIER)\n               System and CFO Vision Production Servers Should be Protected                  22\n      05-11:   Formal Continuity of Operations Plan and Disaster Recovery Procedures for\n               TIER and CFO Vision Should be Established                                     23\n\nExhibit 1 \xe2\x80\x93 Status of Prior Year Management Letter Comments                                  24\n\x0c                               KPMG LLP\n                               2001 M Street, NW\n                               Washington, DC 20036\n\n\n\n\nInspector General\nU.S. Department of the Treasury:\n\nWe have audited the consolidated financial statements of the U.S. Department of the Treasury\n(Department) as of and for the year ended September 30, 2005, and we have issued our report thereon\ndated November 11, 2005. Our report indicated that we did not audit the amounts included in the\nconsolidated financial statements related to the Internal Revenue Service (IRS), a component entity of the\nDepartment, or the gold and silver reserves of the U.S. Government. In planning and performing our audit\nof the consolidated financial statements, we considered the Department\xe2\x80\x99s internal control over financial\nreporting in order to determine our auditing procedures for the purpose of expressing an opinion on the\nconsolidated financial statements, and not to provide assurance on internal control over financial reporting.\n\nDuring our FY 2005 audit of the Department\xe2\x80\x99s consolidated financial statements, we and the other auditors\nnoted certain matters involving internal control over financial reporting and its operations that we\nconsidered to be reportable conditions under standards established by the American Institute of Certified\nPublic Accountants. 
Reportable conditions are matters coming to our attention relating to significant\ndeficiencies in the design or operation of internal control that, in our judgment, could adversely affect the\nDepartment\xe2\x80\x99s ability to record, process, summarize, and report financial data consistent with the assertions\nof management in the consolidated financial statements. Our consideration of internal control over\nfinancial reporting would not necessarily disclose all matters in internal control that might be reportable\nconditions. In our Independent Auditors\xe2\x80\x99 Report dated November 11, 2005, we reported the following\nmatters involving internal control over financial reporting and its operation that we and the other auditors\nconsidered to be reportable conditions:\n\n\xe2\x80\xa2   Financial Management and Reporting at the IRS Needs Improvement (Repeat Condition)\n\xe2\x80\xa2   Electronic Data Processing (EDP) Controls and Information Security Programs Over Financial Systems\n    Should Be Strengthened (Repeat Condition).\n\nThe reportable condition related to the financial management and reporting at the IRS noted above is\nconsidered to be a material weakness. Detailed findings and recommendations to address the above\nreportable conditions are not repeated within this document.\n\nOur audit procedures were designed primarily to enable us to form an opinion, based on our audit and the\nreports of the other auditors, on the Department\xe2\x80\x99s consolidated financial statements and, therefore, may not\nbring to light all weaknesses in policies or procedures that exist. However, we take this opportunity to\nshare our knowledge of the Department, gained during our work, to make comments and suggestions that\nwe hope can be useful to you.\n\n\n\n\n                                 KPMG LLP, a U.S. 
limited liability partnership, is the U.S.\n                                 member firm of KPMG International, a Swiss cooperative.\n\x0cAlthough not considered reportable conditions, we noted certain matters involving internal control and\nother operational matters that are presented in the attachment for your consideration. These comments and\nrecommendations, all of which have been discussed with the appropriate members of the Department\nmanagement, are intended to improve the Department\xe2\x80\x99s internal control or result in other operating\nefficiencies. The matters presented in this letter do not include any internal control or operational matters\nthat may have been presented to the management of the Department\xe2\x80\x99s operating bureaus that were\nseparately audited by other auditors.\n\nWe reviewed all seven of the prior year financial statement audit findings and determined the status of each\ncorrective action. Of the seven findings:\n\n\xe2\x80\xa2   Five were corrected; and\n\xe2\x80\xa2   Two were not corrected.\n\nExhibit 1 provides the status of the seven recommendations included in our management letter arising from\nthe FY 2004 audit. We have not considered the Department\xe2\x80\x99s internal control since the date of our report.\n\nWe appreciate the courteous and professional assistance that Department personnel extended to us during\nour audit. We would be pleased to discuss these comments and recommendations with you at any time.\n\nThis report is intended solely for the information and use of the U.S. 
Department of the Treasury and its\nOffice of Inspector General and is not intended to be and should not be used by anyone other than these\nspecified parties.\n\n\n\n\nNovember 11, 2005\n\n\n\n\n                                                         2\n\x0c                                   DEPARTMENT OF THE TREASURY\n                                         FISCAL YEAR 2005\n                                           Management Letter Report\n                                              November 11, 2005\n\n\n\nI. FISCAL YEAR 2005 RECOMMENDATIONS\n\n05-01: Succession Planning Must be Implemented Immediately.\n\nDuring the course of our audit, we noted that several key personnel having significant institutional knowledge of\nthe Department\xe2\x80\x99s accounting and reporting processes within various Departmental Offices are at or near\nretirement eligibility status. Furthermore, we noted no policies or procedures related to succession planning, or\nstaff being trained to succeed these individuals. Details related to some of the Departmental offices we observed\nas needing immediate succession planning actions follow.\n\nThe Office of Accounting and Internal Control (AIC) is responsible for Treasury-wide financial accounting and\nreporting matters, such as preparation of the financial statements and notes for the Department, and provides\nfinancial policy guidance to the bureaus and offices of the Department. AIC deals directly in broad matters of\ndomestic and international finance, financial markets, Federal, (including the Federal debt), Federal Government\ncredit policies, and lending and privatization. AIC\xe2\x80\x99s experienced senior staff are critical to carrying out its\nfinancial management mission. 
These individuals, with whom we customarily deal with during the audit, have\nsignificant institutional knowledge and will soon be eligible for retirement.\n\nThe Office of Performance Budgeting (OPB) is responsible for the Department\xe2\x80\x99s budget execution, and financial\nmanagement of the Department\xe2\x80\x99s International Assistance program, among other duties. OPB is a small office\nwith employees with budget formulation and execution responsibilities. Two key officials with significant\ninstitutional knowledge and skills, whom we customarily deal with to resolve Treasury budgetary related matters,\nare also eligible for immediate retirement.\n\nWe are not aware of and did not observe any staff being trained to perform the duties under the supervision of\neither AIC or OPB senior staff, nor are we aware of any plans by the Department to provide additional staff to\nperform the duties as part of succession planning. Succession planning is a government-wide issue that the\nGovernment Accountability Office (GAO) has identified as requiring attention by top government officials. In\naddition to the lack of trained staff to take over such positions, AIC and OPB do not have standard operating\nprocedures that would help new staff understand how to perform their duties should the need arise.\n\nIn conclusion, we have significant concerns that the amount of resources (training, tools, staff) available to\nimplement successful succession planning is lacking. Department support for succession planning and actions to\nprepare for the future are needed now, given the long lead times needed to ensure the knowledge and skills of\nkey staff are transferred effectively. We acknowledge that at a time of budget constraints and deadlines that\nDepartmental offices must meet, it is difficult to request additional staff or to train other staff to assume\nadditional responsibilities. 
However, the day-to-day constraints should not be allowed to deter the Department\nfrom the advance planning and preparation needed to ensure that its offices will be able to perform their\nresponsibilities effectively in the absence of key senior staff members.\n\n\n\n\n                                                    3                                                (Continued)\n\x0c                                        DEPARTMENT OF THE TREASURY\n                                              FISCAL YEAR 2005\n                                                Management Letter Report\n                                                    November 11, 2005\n\n\n\nThe Office of Personnel Management (OPM) issues regulations related to personnel management for the Federal\ngovernment. GAO has issued several reports citing the need for succession planning by the government in order\nto address workforce challenges. In its April 21, 2005 testimony 1 before the Senate Subcommittee on Oversight\nof Government Management, the Federal Workforce, and the District of Columbia, GAO stated:\n\n         \xe2\x80\x9cA key piece of an agency\xe2\x80\x99s strategic human capital plan should also acknowledge the\n         demographic trends that the agency faces with its workforce, especially pending retirements, and\n         include succession strategies and training and development programs to ensure that it will have\n         the knowledge, skills, and abilities it needs to meet its mission\xe2\x80\xa6.\n         Training and developing new and current staff to fill new roles and work in different ways will\n         transform how agencies do business and engage employees in further innovation and\n         improvements.\xe2\x80\x9d\n\nAIC and OPB have not been able to hire additional staff, nor have they been able to train other Treasury staff to\nassume their responsibilities, due in part to budget constraints. 
Treasury officials stated that they have requested\nand received approval for additional positions but were unable to fill them due to a hiring freeze.\n\nIn the event of the retirement or sudden prolonged absence of one or more of these individuals, Treasury would\nface a serious loss of operational and institutional knowledge absent any adequate, formalized succession plan,\nresulting in serious financial management deficiencies.\n\nRecommendations\n\nWe recommend that the Assistant Secretary for Management and Chief Financial Officer (CFO), and Deputy\nAssistant Secretary for Human Resources and Chief Human Capital Officer, with input from the Directors, AIC\nand OPB, as well as other offices, as appropriate:\n\n1.       Immediately begin the strategic human capital planning necessary to ensure that the offices will have the\n         knowledge, skills, and abilities it needs to meet its mission.\n2.       As part of its planning effort, consider what actions can be taken now without additional staff, to ensure\n         that if a key staff member is unexpectedly unavailable to perform his/her duties, that the offices\xe2\x80\x99 mission\n         will be met with minimal disruption.\n\nManagement Response\n\nThe Department will continue its efforts in filling current vacancies and bringing staffing to a reasonable level to\naccomplish its critical missions. However, budget constraints for fiscal years 2006 and 2007 may significantly\nlimit the resources available for additional staffing in a number of critical functions. The Department will\nconsider alternatives to prepare and implement succession planning such as: identifying and documenting\nstandard operating procedures for critical functions; providing opportunities in cross-training current staff in a\nnumber of critical functions; and considering details from the bureaus for rotational assignments.\n\n\n1\n    U.S. 
Government Accountability Office, Human Capital: Agencies Need Leadership and the Supporting Infrastructure to Take\n    Advantage of New Flexibilities, GAO-05-616T, April 21, 2005.\n\n                                                             4                                                 (Continued)\n\x0c                                     DEPARTMENT OF THE TREASURY\n                                           FISCAL YEAR 2005\n                                             Management Letter Report\n                                                 November 11, 2005\n\n\n\n05-02: Financial Reporting Standards for Department Component Entities Should be Consistent.\n       (Repeat Comment)\n\nThe Department\xe2\x80\x99s consolidated financial statements are prepared in conformity with accounting principles\nprescribed by the Federal Accounting Standards Advisory Board (FASAB), the accounting standards-setting\nbody for the Federal Government, as recognized by the American Institute of Certified Public Accountants in\nOctober 1999. However, certain Department component entities prepare their financial statements in accordance\nwith accounting standards prescribed by the Financial Accounting Standards Board (FASB), the private sector\nstandards-setting body, since the FASAB has allowed entities that issued financial statements prior to October\n1999 using FASB accounting to do so. 
These entities include the Bureau of Engraving and Printing (BEP), the\nOffice of Thrift Supervision (OTS), the Exchange Stabilization Fund (ESF), the Federal Financing Bank (FFB),\nand the Community Development Financial Institutions Fund (CDFI).\n\nThe use of a combination of generally accepted accounting principles (GAAP) by the Department and its\ncomponent entities complicates the preparation of the Department\xe2\x80\x99s consolidated financial statements since\nadditional information required for Federal GAAP reporting must be developed, mapped, and submitted to the\nDepartment\xe2\x80\x99s data warehouse by component entities, and reviewed for compliance with Federal GAAP and\noverall reasonableness by Department accounting management. In addition, the separately issued financial\nstatements of the component entities using FASB accounting principles do not adequately portray the importance\nof the budgetary process as it relates to federal entities. That is the concept of \xe2\x80\x9cpresents fairly\xe2\x80\x9d for those entities\nis incomplete as it relates to the significant budgetary disclosures required by Federal GAAP.\n\nPrivate sector GAAP does not contemplate budgetary reporting and, therefore, components using this basis of\naccounting do not prepare statements of budgetary resources or statements of financing, although these\nstatements are an integral part of the Department\xe2\x80\x99s consolidated financial statements, and must be prepared\nregardless of whether the component receives appropriations from the U.S. Government or not. Moreover,\ninformation reported in the Department\xe2\x80\x99s Statement of Budgetary Resources (SBR) must be reconciled to\nenacted amounts in the President\xe2\x80\x99s Budget and disclosed in the notes to the Department\xe2\x80\x99s consolidated financial\nstatements. 
Considerable additional preparation and audit steps are required to develop and report this data at the\nDepartment level for components using private sector GAAP.\n\nAdditionally, private sector GAAP does not provide sufficient information regarding the costs of programs and\nactivities. The statement of net cost required by Federal GAAP requires that costs and offsetting earned revenues\nbe presented by responsibility segments, with net costs identified for each of the segments, in order to provide\nmore meaningful information to evaluate the operating results of major activities.\n\nFurther, inconsistencies exist in how certain costs are reported by entities using private sector GAAP. For\nexample, Federal GAAP requires that non-reimbursed costs paid by the Office of Personnel Management for\nretirement plans be recognized by the receiving entity as an imputed cost in order to report the full cost of\noperations. Since private sector GAAP does not provide guidance for the reporting of such imputed costs, these\ncosts are being reported inconsistently, or not at all, by the Department\xe2\x80\x99s component entities.\n\n\n\n\n                                                          5                                               (Continued)\n\x0c                                    DEPARTMENT OF THE TREASURY\n                                          FISCAL YEAR 2005\n                                            Management Letter Report\n                                               November 11, 2005\n\n\n\nFinally, private sector GAAP does not require management\xe2\x80\x99s discussion and analysis (MD&A) of the\ninformation presented in the annual report. The MD&A is one of the most valuable aspects of an annual\nfinancial report, since it provides management\xe2\x80\x99s assessments of key trends, fluctuations, and unusual items. 
It\nshould also link financial and performance information to provide meaningful analysis of the cost-benefit\nrelationships of program accomplishments. Several of the Department\xe2\x80\x99s component entities using private sector\nGAAP do not present MD&A in their annual reports.\n\nThe continued use of private sector GAAP by certain Department component entities decreases the usefulness of\ninformation reported by these entities for users of federal financial statements. In order to strengthen and\nstandardize financial accounting and reporting throughout the Department, all component entities should be\nrequired to prepare their financial statements in accordance with Federal GAAP, unless statutorily required to\nreport on a different basis of accounting.\n\nRecommendations\nWe recommend that the Department research and determine whether component reporting entities reporting on a\nbasis other than Federal GAAP are required to do so by statute. We further recommend that:\n\n1.    All reporting entities within the Department prepare their financial statements in accordance with Federal\n      GAAP, unless statutorily required to report in accordance with a different basis of accounting, and\n\n2.    Entities that are statutorily required to report on a basis of accounting other than Federal GAAP provide\n      supplemental information in their annual reports to include a section on MD&A in order to meet the\n      reporting requirements of Federal GAAP.\n\nManagement Response\n\nThe Department requires that all bureaus/reporting entities comply with the United States Standard General\nLedger (USSGL), which is used for Federal sector GAAP. The USSGL balances transmitted by the bureaus to\nthe Department\xe2\x80\x99s centralized database are appropriately mapped to reflect transactions on a Federal GAAP basis\nin the Department\xe2\x80\x99s consolidated financial statements. 
No errors resulting from conversion from private sector\nGAAP to Federal GAAP were noted in the Department\xe2\x80\x99s FY 2005 and FY 2004 consolidated financial\nstatements.\n\nIn April 2004, the OIG requested that FASAB consider requiring Federal GAAP for the general purpose\nfinancial statements of Federal entities, unless there is a statutory or regulatory requirement to report on a\ndifferent basis. FASAB has included this issue as one of the four potential projects identified in the Invitation to\nComment \xe2\x80\x93 Technical Agenda Options document dated July 22, 2005. Treasury and the OIG provided comments\nto FASAB, and ranked the Appropriate Source for GAAP project as the second highest priority project next to\nthe Federal Entity project.\n\nThe Department again in FY 2005 approached those bureaus/reporting entities that are required by statute to\nproduce their stand-alone financial statements to do so on a Federal sector GAAP basis. The U.S. Mint has\nagreed to prepare its FY 2006 financial statements on a Federal sector GAAP basis, and is currently revising its\nFY 2005 statements to reflect Federal GAAP. 
Treasury will work with the FASAB and the OIG in addressing\nthis issue, and will continue working with the affected bureaus in FY 2006 to achieve greater conformance.\n\n                                                        6                                              (Continued)\n\x0c                                       DEPARTMENT OF THE TREASURY\n                                             FISCAL YEAR 2005\n                                              Management Letter Report\n                                                  November 11, 2005\n\n\n\n05-03: The Exchange Stabilization Fund\xe2\x80\x99s (ESF) Budgetary Accounting Methodology Should be Clarified.\n       (Repeat Comment)\n\nThe Exchange Stabilization Fund maintains a transaction-based accounting system for the federal proprietary\nStandard General Ledger (SGL) accounts, but does not have a transaction-based budgetary accounting system.\nSome of the ESF budgetary data reported in the Treasury Information Executive Repository (TIER), the\nDepartment\xe2\x80\x99s repository accounting system, is misclassified or inaccurate, but has been left in TIER to force a fit\nwith budgetary accounting definitions. For example, undelivered orders, SGL account 4801, has been reported in\nESF\xe2\x80\x99s Trial Balance in TIER as $14.1 billion since 2000. However, the ESF does not report any undelivered\norders in its Statement of Budgetary Resources (SBR) nor does it have any transactions that meet Office of\nManagement and Budget (OMB) definition of undelivered orders. As a result, ESF\xe2\x80\x99s SBR is prepared manually\noutside of TIER, and outside of CFO Vision, the Department\xe2\x80\x99s financial reporting system that converts TIER\ndata into its financial statements.\n\nAnother SGL account that is reported inaccurately is Fund Balance with Treasury (FBWT) (SGL account 1010).\nESF does not use this account nor is it included in its stand-alone financial statements. 
However, in order to pass\nthe Department\xe2\x80\x99s Financial Management Service\xe2\x80\x99s (FMS) FACTS II edit checks, ESF must reclassify amounts\nfrom its asset accounts to SGL 1010. In FY 2005 and 2004, ESF reported approximately $16.4 billion in FBWT\ninto FACTS. The amounts misclassified in FACTS II then are misclassified in the government-wide financial\nstatements.\n\nESF\xe2\x80\x99s reporting to OMB for purposes of the President\xe2\x80\x99s Budget is also inconsistent with ESF\xe2\x80\x99s audited financial\nreporting data and requires reconciliation each year. The President\xe2\x80\x99s Budget includes actual obligations and\noutlays inconsistent with the audited ESF SBR for the reporting year. For example, outlays reported in the\nPresident\xe2\x80\x99s Budget do not contain valuation gains and losses on foreign currency, whereas the Department-\nprepared SBR for ESF includes such amounts in outlays.\n\nIn response to our prior year recommendation to request a waiver from OMB from the requirement to provide\nStatements of Budgetary Resources and Financing for ESF, AIC prepared a draft waiver request which was\nsubmitted to OMB and FMS. However, no waivers were granted for fiscal year 2005 and AIC is still in the\nprocess of communicating with OMB and FMS on this matter.\n\nOMB Circular No. A-11, Part IV, requires non-appropriated funds, such as the ESF, (as well as appropriated\nfunds) to be included in an agency\xe2\x80\x99s combined SBR. It also requires the SBR to be based on budget terminology,\ndefinitions, and guidance. In addition, OMB Circular No. 
A-127, Section 7a, requires federal financial\nmanagement systems to \xe2\x80\x9c\xe2\x80\xa6ensure consistent information is collected for similar transactions throughout the\nagency, \xe2\x80\xa6and ensure consistent information is readily available and provided to internal managers at all levels\nwithin the organization.\xe2\x80\x9d Section 7c states further, \xe2\x80\x9cReports produced by the systems that provide financial\ninformation, whether used internally or externally, shall provide financial data that can be traced directly to the\nSGL accounts.\xe2\x80\x9d In addition, GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government 1 states:\n\n\n\n1\n    U.S. Government Accountability Office, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1,\n    November, 1999.\n\n                                                           7                                               (Continued)\n\x0c                                  DEPARTMENT OF THE TREASURY\n                                        FISCAL YEAR 2005\n                                          Management Letter Report\n                                             November 11, 2005\n\n\n\n     \xe2\x80\x9cInternal control and all transactions and other significant events need to be clearly documented, and\n     the documentation should be readily available for examination. The documentation should appear in\n     management directives, administrative policies, or operating manuals and may be in paper or\n     electronic form.\xe2\x80\x9d\n\nThe Department has complied with OMB and other requirements by adopting unique budgetary applications for\nESF data, but has not requested OMB to review and agree with the Department\xe2\x80\x99s budgetary reporting\nadaptations that require major reconciliations with the President\xe2\x80\x99s Budget, with TIER, and with FMS FACTS II\nrequirements for the fund. 
While the Department asked FMS as early as 2002 to resolve the requirement to report FBWT in order to meet FACTS II edits, FMS has been unable to provide an automated solution to date. No approved model of budgetary transactions exists for ESF that would ensure consistent budgetary and proprietary data is readily available and can be traced directly to the SGL accounts.

As a result, the Department’s budgetary financial data for ESF submitted to FACTS II for government-wide reporting purposes is inconsistent with its SBR, its Statement of Financing, TIER, and the information provided to OMB for the President’s Budget. In addition, the lack of written, approved operating procedures for ESF has resulted in inconsistencies from year to year in the methodology used to translate the ESF proprietary accounts to budgetary accounts.

Recommendations

We recommend the CFO:

1. Prepare written operating procedures with accompanying rationale as to why the proprietary accounts chosen approximate budgetary definitions.
2. Request approval from OMB for the definitions the Department uses to translate ESF proprietary accounts to budgetary line items to prepare the Statements of Budgetary Resources and Financing, recognizing that standard federal budgetary definitions do not apply to the ESF’s investment portfolio fund.
3. Explore with OMB alternative ways of providing meaningful, accurate, and consistent data on ESF in the President’s Budget and how the information should be reported in the government-wide financial statements.
4. Continue to work with FMS to resolve the requirement to report FBWT in order to pass FACTS II edits, recognizing that ESF does not have FBWT balances.

Management Response

The Department submitted a draft letter in September 2005 requesting a waiver from the Office of Management and Budget from including the budgetary reporting for the Exchange Stabilization Fund in the Department’s consolidated financial statements, and the Financial Management Service and OMB budgetary reporting systems. In addition, a draft request was sent to Treasury’s Financial Management Service in September 2005 on waiving the reporting of Fund Balance with Treasury (FBWT) for ESF investments.

The Department has tried to engage OMB and FMS on more than one occasion over the past ten years to help resolve the ESF budgetary reporting issue. However, more pressing events and workload issues prevented OMB and the Department from fully addressing and resolving this issue. Treasury also worked with the Department’s Office of Inspector General in attempting to develop transaction posting models that allow for the production of ESF’s budgetary reporting.

The initial response received in October 2005 from FMS indicated that OMB and FMS will not grant a reporting waiver for ESF’s FBWT. FMS provided a recommendation for reporting the FBWT for FY 2005, and suggested working with the Department on the unresolved issues in FY 2006.
The Department will work with OMB and FMS to obtain specific guidance on providing more meaningful budgetary and FBWT reporting for ESF.

05-04: Annual Reconciliation Procedures to the President’s Budget Should be Improved.

The Department’s Office of Performance Budgeting (OPB) prepares the annual reconciliation of actual Budgetary Resources, Outlays, and Offsetting Receipts in the President’s Budget (PB) to the comparable information contained in the Department’s Statement of Budgetary Resources, for disclosure in the Department’s consolidated financial statements as required by Statement of Federal Financial Accounting Standards (SFFAS) No. 7, Accounting for Revenue and Other Financing Sources.
The PB reconciliation prepared for inclusion in the current year, with respect to fiscal year 2004, revealed the following:

• The initial documentation provided to support the reconciliation did not fully support the reconciling amounts reported in the PB reconciliation.

• There were inconsistencies in the classification of budgetary resources within the PB reconciliation when compared to the prior year’s PB reconciling classifications.

In response to questions raised during the audit, OPB provided additional documentation, revised the PB reconciliation, and ultimately reduced its initial fiscal year 2004 unreconciled differences from $318 million, $206 million, and $96 million (in absolute values) for amounts reported in the Budgetary Resources, Outlays, and Offsetting Receipts categories, respectively, to a total of $124 million, as shown in the table below for fiscal year 2004.

The final unreconciled differences reported in the PB reconciliation for this year, in comparison with the previous year’s unreconciled differences, are:

                                   ($ in millions)

Fiscal   Budgetary   % of Budgetary            % of      Offsetting   % of Offsetting
Year     Resources   Resources       Outlays   Outlays   Receipts     Receipts
2004     $ 54        0.01            $ 69      0.02      $ 1          0.05
2003       109       0.03              109     0.03        151        11.90

The total of the unreconciled differences for FY 2004 was $124 million, compared with a total of $369 million for FY 2003, a major reduction in unreconciled differences.
Many improvements were made in the current year with respect to the PB reconciliation details as well as the supporting documentation provided for the PB reconciliation. However, further improvements can be made to the process of preparing the reconciliation and expediting its review.

If key Department officials are unavailable to perform the reconciliation, its preparation cannot easily be picked up by new staff without detailed written guidance. Given the complexity of the reconciliation for the Department, a detailed procedural manual providing step-by-step guidance for performing the reconciliation, as well as the documentation that needs to be on hand for the annual audit, could help improve the efficiency, consistency in methodology, and completeness of the reconciliation. During the audit, OPB began preparing an operating manual for the reconciliation; however, these policies and procedures describing the process OPB uses for the reconciliation have not yet been approved, nor is there a complete list of Department funds identified for PB reconciliation purposes, with a classification of those funds by budget category and an explanation of why each fund should be reported in a particular budget category.

SFFAS No. 7 and OMB Circular A-136, Financial Reporting Requirements, provide guidance for preparing the note on the Reconciliation of the SBR to the PB. SFFAS No. 7, Part II, Reconciliation Statement—Budgetary and Financial Accounting, Section 79, states:

     “Disclosures are required if the information shown differs from that which is included in the “actual” column of the President’s Budget. For example, this disclosure would be needed in cases where the reporting entity in the financial statements is different than the reporting entity in the Budget.”

Section 1.7 of OMB Circular No. A-136 states:

     “Agencies should discuss any material changes to budgetary information subsequent to the publication of the audited Statement of Budgetary Resources (SBR) with their auditors to determine if restatement or note disclosure is necessary. At a minimum, any material differences between comparable information contained in the SBR and the actual information presented in the Budget of the United States Government must be disclosed in the footnotes to the SBR.”

Section 9.33 of OMB Circular A-136 further states that the related note should:

     “Identify and explain material differences between amounts reported in the SBR and the actual amounts reported in the Budget of the United States Government as required by SFFAS No. 7…. Differences, in and of themselves, may or may not indicate a reporting error. Legitimate reasons for differences could exist. For example, expired unobligated balances are reported in the SBR and SF 133 but not in the Budget of the United States Government. This disclosure should be provided when comparable line items differ between the President’s Budget and the SBR.”

In addition, GAO’s Standards for Internal Control in the Federal Government 1 states:

     “Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals and may be in paper or electronic form.”

The Department relies on the knowledge and skills of key experienced staff to prepare the reconciliation each year. However, because the reconciliation is performed only once a year, the lack of written procedures contributed to the initial misclassification of budgetary resources for reconciliation purposes. This led to additional effort to obtain documentation and increased time spent on the reconciliation, which an operating manual containing detailed policies and procedures might help to correct.

Recommendations

We recommend that the CFO, in coordination with the Director of OPB and the Director of AIC, prepare detailed policies and operating procedures for the reconciliation of the Combined SBR to the President’s Budget.
As part of its procedures, OPB and AIC should classify amounts reported in the SBR and President’s Budget by reconciling budgetary source to fund symbol, along with a definition of each reconciling item and an explanation of which funds should be included in the line item. The policies and procedures developed should also include procedures for review and approval by authorized officials.

Management’s Response

The Office of Performance Budgeting (OPB) prepared operating procedures for the Statement of Budgetary Resources/President’s Budget reconciliation process in 2005. This procedure was shared with the consolidated financial statement auditors for their review. OPB has agreed with the auditors’ recommendation to add a list of fund symbols with explanations on why they are reconciling items.

05-05: A Formal Process is Needed to Monitor the Use of Sensitive System Software Utilities.

There is no formal process in place to monitor the use of sensitive system software utilities, such as those with the capability to add, remove, or alter user accounts and privileges within the operating system.

The Federal Information Security Management Act (FISMA), enacted as part of the E-Government Act of 2002, requires Federal agencies to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency.
FISMA further requires Federal agencies to follow information security guidance issued by the National Institute of Standards and Technology (NIST).

Office of Management and Budget (OMB) Circular A-123, Management Accountability and Control (OMB Circular A-123), requires that access to resources and records be limited to authorized individuals, and that accountability for the custody and use of resources be assigned and maintained.

OMB further states in OMB Circular A-130, Appendix III (Security of Federal Automated Information Resources) (OMB Circular A-130), that access controls should provide reasonable assurance that computer resources such as data files, application programs, and computer-related facilities and equipment are protected against unauthorized modification, disclosure, and loss. Such controls include logical controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files. Ineffective access controls increase the risk of unauthorized changes to data, which may affect the data’s reliability, and increase the risk of destruction or inappropriate disclosure of the data.

The Department currently does not have an effective means to monitor the use of sensitive system software utilities.
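As an added illustration that is not part of this management letter and not code from any tool the Department uses, the following script shows the kind of review the finding calls for: constructed records of account-management utility use are checked against a list of operators approved to run such utilities, against open change tickets, and for the case of an operator adding their own account to the administrators group. The host names, account names, ticket numbers and log lines are all constructed for the example; the approved-operator list and ticket windows are assumptions.

```python
"""Added example (not part of the audit report): review use of sensitive
account-management utilities against an approved-operator list and open
change tickets.  All hosts, accounts, tickets and log lines are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed records in the shape a log-collection tool might forward:
# timestamp | host | operator | utility | action | target
SAMPLE_LOG = """\
2005-09-30T17:02:11 | DO-FS01  | svc_backup | net.exe | user add | tmpadmin
2005-09-30T17:03:40 | DO-FS01  | svc_backup | net.exe | localgroup administrators add | tmpadmin
2005-09-30T09:15:02 | DO-FS01  | jdoe       | net.exe | user add | contractor7
2005-09-30T09:16:10 | DO-FS01  | jdoe       | net.exe | localgroup administrators add | jdoe
2005-10-01T11:20:00 | DO-APP02 | asmith     | net.exe | user delete | olduser
2005-10-01T11:21:00 | DO-APP02 | asmith     | net.exe | user delete | olduser
"""

# Assumptions: who is allowed to run these utilities, and which approved
# change tickets (with their time windows) authorise the work.
APPROVED_OPERATORS = {"jdoe", "asmith"}
OPEN_TICKETS = {
    "jdoe": [(datetime(2005, 9, 30, 9, 0), datetime(2005, 9, 30, 10, 0), "SCR-0421")],
}
SENSITIVE_ACTIONS = {"user add", "user delete", "localgroup administrators add"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    operator: str
    utility: str
    action: str
    target: str


def parse_log(text: str) -> List[Event]:
    """Parse the pipe-delimited records into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, operator, utility, action, target = [f.strip() for f in line.split("|")]
        events.append(Event(datetime.fromisoformat(ts), host, operator, utility, action, target))
    return events


def ticket_for(ev: Event) -> Optional[str]:
    """Return the ticket whose window covers the event, if any."""
    for start, end, ticket in OPEN_TICKETS.get(ev.operator, []):
        if start <= ev.ts <= end:
            return ticket
    return None


def review(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (reason, event) pairs the security group should investigate."""
    findings = []
    for ev in events:
        if ev.action not in SENSITIVE_ACTIONS:
            continue                      # not a sensitive utility use
        if ev.operator not in APPROVED_OPERATORS:
            findings.append(("unapproved operator", ev))
        elif ticket_for(ev) is None:
            findings.append(("no open change ticket", ev))
        # An operator adding themselves to the administrators group is
        # flagged even when the operator and ticket are otherwise in order.
        if ev.action == "localgroup administrators add" and ev.target == ev.operator:
            findings.append(("self-granted administrator membership", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in review(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts:%Y-%m-%d %H:%M} {ev.host} {ev.operator}: {ev.action} {ev.target} -> {reason}")
```

In practice the events would be drawn from the host security logs by the monitoring tool rather than from a text file; the point of the check is that every sensitive action is tied to an authorised operator and an approved change, and that anything outside that is routed for investigation instead of being left in the log unread.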
We were informed, however, that the Department is in the procurement phase for a software utility that will allow for the logging and monitoring of sensitive system utility use.

Without a defined process, or a means to effectively and consistently monitor the use of system utilities, management cannot reliably review the activities of users to look for inappropriate or unusual activity. Accordingly, such activity may go unnoticed and may not be investigated.

Recommendations

We recommend that the Deputy Assistant Secretary Chief Information Officer (CIO) develop formal policies and procedures for the monitoring of sensitive system software utilities, and enforce those policies.

Management Response

Treasury Departmental Offices management, in partnership with the SEAT management contractor, has identified software which will be able to monitor sensitive system software utilities. Note that this capability does not exist in the Microsoft Windows operating system itself. Treasury has directed the support contractor to purchase and implement this software to assist in the implementation and enforcement of monitoring sensitive system software utilities. DO plans to implement Quest’s Intrust Log Management tool. It will send real-time alerts when unusual activity is reported in system and network security, application, and system logs.
The system will also allow the Security group to review periodically all logs on a central console, where they can review the activities of users to look for inappropriate or unusual activity.

05-06: Access Controls over the Treasury Information Executive Repository (TIER) System Should be Strengthened.

Configuration management controls over TIER do not prevent lead developers from gaining access to the production environment. The two lead developers have access to all three TREAS-TIER servers: development, test, and production. Furthermore, they serve as the chief implementers of TIER changes: the lead developers create, test, and also load TIER changes onto the production server. Additionally, the lead developers perform system administrator duties.

A segregation of duties violation exists for system changes made outside of the scheduled TIER quarterly releases. We noted that system change requests (SCRs) indicate that one individual performs several roles, such as Owner, Submitter, Requester, Developer, Tester, and Reviewer of the SCR.

The SCR process deviates from aspects of the Department’s Treasury Software Change Management (SCM) Plan.
Specifically, the lead developers perform the Team Lead’s roles and responsibilities over the SCR process. This segregation of duties violation bypasses the Team Lead’s oversight as prescribed in the SCM Plan.

SCRs are not completed for all change requests made outside of the scheduled TIER quarterly releases. Furthermore, no documented approval exists for emergency enhancements, bug fixes, and data fixes.

Also, test documentation is not available for changes implemented outside of the scheduled TIER quarterly releases, specifically data fixes, bug fixes, and emergency enhancements. During our review, we noted that test results were not always maintained.

The SCM Plan describes the process for creating and managing change requests for Application Systems Support Contract (ASSC) documents, templates, and processes. The Plan provides that requests are submitted, verbally or in writing, by the client to the Project Manager or Team Lead, who evaluates the request and enters it into Tracker. Other roles pertaining to the SCR process are summarized within the SCM Plan. Furthermore, the SCM Plan states that “Software control ensures that changes to computer programs are developed and tested using valid copies of programs and test databases, and that such changes do not adversely affect system users. Software control procedures are particularly important for documenting and tracking maintenance changes during the operation phase of the life cycle.”

The Department’s ASSC SDLC Workflow and Processes Handbook states that “Emergency requests are approved by the Team Leaders; corrections are made, tested, and implemented; and finally the change request is completed and forwarded to the Team Leader for review.” Furthermore, “The project Change Control Board consisting of the Team Lead/Project Manager, Treasury Liaison and the Customer must approve every change or operational problem request. Once approved, the request will be added to the Team Master Project schedule and tracked accordingly.”

The Department’s TIER FY05 Project Plan states, “The Database Administrators (DBA) will then execute the appropriate scripts loading the release onto the production server and advise the development team when completed.” OMB Circular A-130 states, “Separation of duties is the practice of dividing the steps in a critical function among different individuals. For example, one system programmer can create a critical piece of operating system code, while another authorizes its implementation. Such a control keeps a single individual from subverting a critical process.”

OMB Circular A-130 further requires that proper life cycle development include the complete documentation of a system: “Each stage of the information life cycle carries with it records of management responsibilities. Agencies need to record their plans, carefully document the content and procedures of information collection, ensure proper documentation as a feature of every information system, keep records of dissemination programs, and, finally, ensure that records of permanent value are preserved.”

OMB Circular A-127, Financial Management Systems, states that “all documentation associated with systems and software should be continually updated to provide sufficient detail to obtain a comprehensive knowledge of understanding of their operation.” Further, adequate documentation of program changes facilitates future testing of other modifications and allows a reconstruction, if necessary, to research a problem based on the actual tests and results.

NIST’s Generally Accepted Principles and Practices for Securing Information Technology Systems (NIST SP 800-14, Section 3.12) recommends that organizations base access control policy on the principle of least privilege, which states that users should be granted access only to the resources they need to perform their official functions.

The Department’s personnel indicated that lead developers also perform the system administrator roles due to limited resources. In addition, due to limited resources and time constraints, the prescribed method for System Change Requests is not always followed. Further, the Department does not maintain documentation of approval for all changes made outside of quarterly releases. Due to time constraints, approval is often received after a change has been implemented.
The Department’s personnel explained that, due to time constraints and limited resources, testing documentation is not consistently prepared and maintained.

Excessive system privileges, such as privileges over sensitive system components like the production server, increase the risk that data is subject to unauthorized access, loss, or misuse. Furthermore, granting this privilege to developers could allow them to circumvent the configuration management process and implement code that has not been tested or approved by the appropriate parties.

The effectiveness of testing could be skewed and biased if it is performed by the developer of the code change. Additionally, flawed system software changes may be implemented into the production environment.

Lack of oversight of software configuration management as described in the SCM Plan increases the risk that erroneous or fraudulent changes to software could be processed and implemented, which could impact the integrity of computer resources.

The absence, for each system change, of documentation capturing the detailed system testing prepared by the programmer and reviewed by a programming supervisor may allow unauthorized and potentially inaccurate computer program changes to be implemented into the production environment.

Inadequate documentation of testing and results may inhibit future testing of other modifications and prevents reconstruction, if necessary, to research a problem based upon the actual tests and results.
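As an added illustration that is not part of this letter, the following script applies the segregation-of-duties and documentation expectations described above to constructed SCR records. It reports any SCR on which one person holds conflicting roles (including developing a change and loading it onto production), any approval that is missing or dated after implementation, and any out-of-cycle change without retained test results. The role pairs treated as conflicting, the “Implementer” role, and all SCR numbers, names and dates are assumptions made for the example.

```python
"""Added example (not part of the audit report): check system change request
(SCR) records for segregation-of-duties conflicts, missing or after-the-fact
approvals, and out-of-cycle changes without retained test evidence.  The SCR
numbers, names and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Role pairs one person must not hold on the same SCR.  Assumption: a
# conservative reading of the roles the finding names, plus an "Implementer"
# role for whoever loads the change onto the production server.
CONFLICTING_ROLES = [
    ("Developer", "Tester"),
    ("Developer", "Reviewer"),
    ("Developer", "Implementer"),
    ("Submitter", "Reviewer"),
]
SCHEDULED_KINDS = {"quarterly"}


@dataclass
class SCR:
    scr_id: str
    kind: str                       # "quarterly", "emergency", "bug fix", "data fix"
    roles: Dict[str, str]           # role name -> person
    approved_on: Optional[date]     # documented Change Control Board approval
    implemented_on: date            # date loaded onto production
    test_results: Optional[str]     # reference to retained test plan/results


def sod_conflicts(scr: SCR) -> List[str]:
    """One finding per conflicting role pair held by the same person."""
    out = []
    for a, b in CONFLICTING_ROLES:
        pa, pb = scr.roles.get(a), scr.roles.get(b)
        if pa is not None and pa == pb:
            out.append(f"{scr.scr_id}: {pa} is both {a} and {b}")
    return out


def approval_and_test_problems(scr: SCR) -> List[str]:
    """Approval must be documented and precede implementation; out-of-cycle
    changes must have retained test results."""
    out = []
    if scr.approved_on is None:
        out.append(f"{scr.scr_id}: no documented approval")
    elif scr.approved_on > scr.implemented_on:
        out.append(f"{scr.scr_id}: approved {scr.approved_on} after implementation on {scr.implemented_on}")
    if scr.kind not in SCHEDULED_KINDS and not scr.test_results:
        out.append(f"{scr.scr_id}: {scr.kind} implemented without retained test results")
    return out


def audit(scrs: List[SCR]) -> Dict[str, List[str]]:
    """Group the findings for a batch of SCRs by category."""
    return {
        "segregation_of_duties": [f for s in scrs for f in sod_conflicts(s)],
        "approval_and_testing": [f for s in scrs for f in approval_and_test_problems(s)],
    }


# Constructed SCR records: one clean quarterly change, one emergency change
# done end to end by a single developer, and one data fix approved after the fact.
SAMPLE_SCRS = [
    SCR("SCR-1001", "quarterly",
        {"Submitter": "user1", "Developer": "dev1", "Tester": "qa1",
         "Reviewer": "lead1", "Implementer": "dba1"},
        date(2005, 6, 1), date(2005, 7, 1), "tests/SCR-1001-results.doc"),
    SCR("SCR-1042", "emergency",
        {r: "dev1" for r in ("Owner", "Submitter", "Requester", "Developer",
                             "Tester", "Reviewer", "Implementer")},
        None, date(2005, 9, 28), None),
    SCR("SCR-1050", "data fix",
        {"Submitter": "user2", "Developer": "dev2", "Tester": "dev1",
         "Reviewer": "lead1", "Implementer": "dev2"},
        date(2005, 9, 30), date(2005, 9, 29), None),
]

if __name__ == "__main__":
    for category, findings in audit(SAMPLE_SCRS).items():
        print(category)
        for f in findings:
            print("  " + f)
```

Run against the change-tracking system's export, a check like this turns the SCM Plan's role requirements into something that can be verified for every SCR rather than sampled once a year, and it makes the after-the-fact approvals described in the cause paragraph visible as dated exceptions.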
Without test documentation, there is also no evidence available for verification that testing in fact took place.

Recommendations

We recommend that the CIO take steps to:

1. Ensure that the access privileges to migrate changes into the production environment are removed from the development staff.
2. Segregate the duties of the lead developer of software changes, thereby preventing the developers of a software change from testing their own work.
3. Ensure that the Department’s management follows the Treasury SCM methodology and that a higher degree of management oversight occurs for the development and implementation of all changes to TREAS TIER.
4. Update the Treasury SCM Plan and ASSC SDLC Workflow and Processes Handbook to reflect the current practices for opening an SCR.
5. Maintain test plans and test results for all changes implemented outside of the scheduled TIER quarterly releases.

Management Response

Many of the changes that occur outside of the scheduled releases are called “data fixes” because currently that is the only choice left to enter an SCR in Tracker. In reality, these are changes to the reference infrastructure data, not the user’s data. The most common reference changes are built into the application, such as additions or changes to SGLs or Fund Symbols. These are straightforward, and by definition do not change the application code.
No test plan is needed because the reviewer only has to view the appropriate reference table to see that the change has been made. For these cases, the recommendation to maintain test plans and results for such “data” fixes is not considered necessary. The tester/reviewer or actual user requesting the change could easily verify that the change was done correctly. In most cases, these changes are needed on a very short timeline. If the KPMG recommendations were implemented as written, requested changes—often time-critical, especially at the end of the fiscal year—would be delayed to the extent that our service to users would not be timely.

05-07: Configuration Management Processes Over CFO Vision Need Improvement.

During our FY 2005 review of the configuration management process over CFO Vision, we noted the following control weaknesses:

a. Formal processes are not followed when making changes to CFO Vision reporting templates.

b. CFO Vision does not have a version manager tool for template changes made to the application.

The Treasury Information Technology Security Program Publication, IT Security Program Handbook for Sensitive Systems, states that “Organizational Elements shall prepare configuration management plans for all IT systems and networks. Organizational Elements shall establish, implement, and enforce change management and configuration management controls on all IT systems and networks.”

NIST Special Publication (SP) 800-64, Security Considerations in the Information System Development Life Cycle, states that configuration management and configuration control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system and subsequently controlling and maintaining an accurate inventory of any changes to the system.

NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, states, “There are many models for the IT system life-cycle but most contain five basic phases: Initiation, development/acquisition, implementation, operation, and disposal.”

CFO Vision is primarily used as a reporting tool for TIER. Changes made within CFO Vision are not made to the application’s source code but to report templates; any change only modifies the look or organization of a report. A formal configuration management process is not documented because only minor changes are made to CFO Vision; the Department therefore believes that a formal configuration management process or SDLC is not needed.

CFO Vision administrators do not keep previous versions of the application stored locally, due to a lack of space and because changes are only made to the templates and not to the source code.
They believe that the minor template changes performed on CFO Vision do not need to be readily available and tracked.

Without a proper System Development Life Cycle (SDLC) or configuration management process governing the flow of changes from development to production, unauthorized and potentially inaccurate program changes may be implemented into the production environment.

In addition, since there is no version manager tool in place for CFO Vision, once a change is made to the application the previous version no longer exists locally. If a problem arises after changes have been made in production, there is no way to immediately revert to the previous version of the templates without restoring from tape backups.

Recommendations

We recommend that the CIO:

1. Develop and implement detailed SDLC or configuration management procedures for making changes to CFO Vision. These procedures should include a formal change request form, proper authorization and formal approval of the change prior to the initiation of the work, and retention of all change request forms.

2. Implement a version manager mechanism in order to maintain previous versions of CFO Vision reports.

Management Response

Recommendation #1: Treasury is implementing a new version of CFO Vision, a COTS product, during fiscal year 2006.
This version will be web-based and available to all Treasury bureaus through the Treasury Intranet. As part of the implementation of this new version, the Department will update the configuration management process to formalize the process to include change requests, a review and approval process, and retention of supporting documentation.

Recommendation #2: As part of this new release, the systems development team will implement a version manager mechanism to maintain versions of CFO Vision reports.

We anticipate implementing these changes after the new version is installed, stabilized, and rolled out to the bureaus.

05-08: CFO Vision Access Controls Should be Strengthened.

No policies or procedures are currently in place to periodically review CFO Vision user access lists to determine whether access is still needed (including for employees who have been terminated) or whether the same level of access is still required by the user.
Additionally, no formal process has been documented to ensure timely notification of application administrators when personnel transfers or terminations occur.

The Department’s Information Technology Security Program, TD P 85-01, Volume I, Policy Part 1, Sensitive Systems, states: “Program officials shall ensure users of the systems supporting their programs have a validated requirement (need to know) and an appropriate security clearance to access their systems.”

NIST Special Publication 800-12, An Introduction to Computer Security, states, “From time to time, it is necessary to review user account management on a system. Within the area of user access issues, such reviews may examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, whether required training has been completed, and so forth.”

OMB Circular A-130 requires federal agencies to incorporate personnel-related security controls to ensure the screening of individuals who are authorized to bypass significant technical and operational security controls of the system, commensurate with the risk and magnitude of harm they could cause. This is especially important when employees leave an organization, as they may be in a position to cause severe harm to the organization’s systems after they leave if their system access is not promptly terminated.
The Circular requires that agencies\nensure that information is protected commensurate with the risk and magnitude of the harm that would result\nfrom the loss, misuse, or unauthorized access to or modification of such information (\xe2\x80\x9cleast privilege\xe2\x80\x9d).\n\nIn the Generally Accepted Principles and Practices for Securing Information Technology Systems (NIST SP 800-\n14, Section 3.12), NIST recommends that organizations base access control policy on the principle of least\nprivilege, which states that users should be granted access only to the resources they need to perform their\nofficial functions.\n\nDue to limited resources, management has not established formal policies and procedures for the periodic review\nof CFO Vision user access lists. Additionally, the Department is still in the process of developing procedures\nrelated to CFO Vision, including the processes related to user account management.\n\nBy not performing a periodic review of user accounts to ensure that all access levels are appropriate for a given\nuser\xe2\x80\x99s job description and to verify that all user accounts belong to current employees, the Department increases\nthe risk that employees may have unnecessary access privileges to the system. 
This access increases the risk of\nintentional or inadvertent alteration of the integrity of the application.\n\nFurthermore, should a separated employee\xe2\x80\x99s CFO Vision user account not be timely removed, the separated\nemployee, with malicious intent, or another person with knowledge of this active user account, could use this\naccount to alter the integrity of the application data.\n\n\n\n\n                                                      19                                             (Continued)\n\x0c                                   DEPARTMENT OF THE TREASURY\n                                         FISCAL YEAR 2005\n                                           Management Letter Report\n                                              November 11, 2005\n\n\n\nRecommendations\n\nWe recommend that the CIO take steps to establish formal policies and procedures regarding user administration\nsurrounding the CFO Vision application. We also recommend that the CIO:\n\n1.    Develop and implement policies and procedures requiring periodic review of CFO Vision access lists to\n      determine whether logical user access is current, consistent with job responsibilities, and in accordance\n      with the principle of least privilege.\n\n2.    Develop and implement policies and procedures to promptly notify the application administrators of the\n      termination or transfer of personnel with CFO Vision access.\n\nManagement Response\n\nRecommendation #1: Treasury is implementing a new version of CFO Vision, a COTS product, during fiscal\nyear 2006. This version will be a web-based system and available to all Treasury bureaus through the Treasury\nIntranet. With the implementation of this version, Treasury will follow the procedures implemented for other\napplications maintained by the Office of the DCFO under the umbrella Financial Analysis and Reporting System\n(FARS). 
This includes a structured process for granting new user access and an annual recertification of all\nsystem users. These existing procedures require new users to take the Department\xe2\x80\x99s systems security training and\nreview the system Rules of Behavior.\n\nRecommendation #2: As part of the implementation of the new release, the systems team will evaluate the\nfeasibility of linking the CFO Vision user file with the LDAP, which maintains the inventory of authorized users\nto the Treasury network. As employees leave the Department, they are removed from the LDAP and will not be\nable to access the Treasury network. This will eliminate the potential for former users accessing CFO Vision.\n\nCanceling user authorization of employees who no longer require access to the system is much more difficult to\ncontrol. This relies on the user\xe2\x80\x99s manager to notify the DCFO\xe2\x80\x99s Office to remove the access rights. We will catch\nthese changes as part of the annual user recertification that will be implemented for the new version of CFO\nVision.\n\nWe anticipate implementing some of these changes after the new version is installed, stabilized, and rolled out to\nthe bureaus. New user access will be granted in accordance with existing FARS new user procedures.\n\n\n\n\n                                                       20                                            (Continued)\n\x0c                                     DEPARTMENT OF THE TREASURY\n                                           FISCAL YEAR 2005\n                                            Management Letter Report\n                                                November 11, 2005\n\n\n\n05-09: Financial Analysis and Reporting System (FARS) Access Controls Should be Strengthened.\n\nFinancial Analysis and Reporting System (FARS) access request forms could not be provided for three out of\nfive CFO Vision users selected for testing. 
The Department\xe2\x80\x99s management is not enforcing the completion of\nnew user access request forms for authorizing CFO Vision access.\n\nOMB Circular A-123 states that access to resources and records should be limited to authorized individuals, and\naccountability for the custody and use of resources should be assigned and maintained.\n\nOMB Circular A-123 further states that access controls should provide reasonable assurance that computer\nresources such as data files, application programs, and computer-related facilities and equipment are protected\nagainst unauthorized modification, disclosure, and loss. Such controls include logical controls, such as security\nsoftware programs designed to prevent or detect unauthorized access to sensitive files. Ineffective access controls\nincrease the risk of unauthorized changes to the data that may affect the data\xe2\x80\x99s reliability and increases the risk of\ndestruction or inappropriate disclosure of the data.\n\nGranting system access without evidence of supervisory authorization increases the risk of unauthorized\nindividuals gaining access to the Department\xe2\x80\x99s data.\n\nRecommendations\n\nWe recommend that the CIO reinforce, through training or an updated policy statement, a requirement for\nDepartment personnel to consistently utilize the FARS access request form to document management\nauthorization for access to the CFO Vision application.\n\nManagement Response\n\nTreasury concurs with this recommendation. CFO Vision is currently available only to users on the DO LAN, the\nonly users are in the Office of the DCFO, Office of Performance Budgeting, Office of Financial Management,\nthe financial statement auditors, and the FARS systems development team. While it was the practice to have\nCFO Vision users complete a new user access form, this practice was not consistently followed. 
With the\nscheduled upgrade of CFO Vision to a web-based application, it will become available to Treasury bureaus as\nwell. As a result, the existing FARS new user access process will be adhered to by all new CFO Vision users. All\nnew users will be required to complete a new user access request form that is signed by their organization\xe2\x80\x99s\nResponsible Official, complete the Department\xe2\x80\x99s systems security awareness training, and complete the FARS\nRules of Behavior.\n\nCFO Vision currently has two systems administrators with responsibility for administering the system. One has\nhad this responsibility since the startup of the system in 1999 and the other has been an administrator since 2003.\nAs is the case for other CFO Vision users, new user access forms were not required until procedures were revised\nwithin the past year. In addition, since there are only two administrators, who worked closely with the DCFO\xe2\x80\x99s\nOffice of Financial Systems Integration, no annual recertification was performed. As part of the implementation\nof the new version of CFO Vision in 2006, we will implement the access procedures currently followed for all\nother FARS applications, as described above.\n\n\n\n                                                         21                                              (Continued)\n\x0c                                    DEPARTMENT OF THE TREASURY\n                                          FISCAL YEAR 2005\n                                            Management Letter Report\n                                               November 11, 2005\n\n\n\n05-10:   Backup Tapes for the Treasury Information Executive Repository (TIER) System and CFO Vision\n         Production Servers Should Be Protected.\n\nThe backup tapes for the Treasury Information Executive Repository and CFO Vision production servers are\nstored in the cage with the server within the Treasury data center. 
Additionally, the backup tapes are not stored in\na protective case prior to being transported to the off-site location.\n\nFISMA requires agencies to provide information security protections commensurate with the risk and magnitude\nof the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of\ninformation collected or maintained by or on behalf of the agency. FISMA further requires Federal agencies to\nfollow information security guidance issued by the NIST.\n\nAlso, in the Generally Accepted Principles and Practices for Securing Information Technology Systems (Section\n3.5.1), the NIST SP 800-14 states that backups should be stored securely and that measures should provide\nphysical and environmental protection.\n\nFurther, OMB Circular A-130 states that agencies shall maintain disaster recovery and continuity of operations\nplans for information technology installations. To ensure continuity of operations during an extended outage of\nthe computer system, backups of computer system data must be performed and stored off-site.\n\nManagement has not made it a priority to see that backup tapes are stored in protective cases. In the event that the\ntapes located in the data center were damaged within the data center or during transport to the off-site storage\nfacility, Treasury would be forced to rely on older tapes and have to expend additional resources reconstructing\nthe information lost on the daily and weekly tapes.\n\nRecommendations\n\nWe recommend that the CIO develop and implement policies to require storage of these backup tapes in fireproof\nboxes so that they will be protected in the event of a disaster.\n\nManagement Response\n\nTreasury has identified alternative back-up service approaches and their relative funding requirements. However,\nfunding for a formal off-site storage service is currently unfunded. 
The Department will review its options for\nimplementing this recommendation.\n\n\n\n\n                                                        22                                             (Continued)\n\x0c                                    DEPARTMENT OF THE TREASURY\n                                          FISCAL YEAR 2005\n                                           Management Letter Report\n                                               November 11, 2005\n\n\n\n05-11: Formal Continuity of Operations Plan and Disaster Recovery Procedures for TIER and CFO Vision\n       Should be Established.\n\nThere is no formal continuity of operations plan (COOP) and disaster recovery procedure (DRP) in place for\nTIER and CFO Vision. NIST Special Publication 800-12, An Introduction to Computer Security: The NIST\nHandbook (Chapter 11), states:\n\n\xe2\x80\x9cContingency planning directly supports an organization\xe2\x80\x99s goal of continued operations. Organizations practice\ncontingency planning because it makes good business sense. To avert potential contingencies and disasters or\nminimize the damage they cause organizations can take steps early to control the event. Generally called\ncontingency planning, this activity is closely related to incident handling, which primarily addresses malicious\ntechnical threats such as hackers and viruses. Contingency planning involves more than planning for a move off\nsite after a disaster destroys a data center. It also addresses how to keep an organization\xe2\x80\x99s critical functions\noperating in the event of disruptions, both large and small. 
This broader perspective on contingency planning is\nbased on the distribution of computer support throughout an organization.\xe2\x80\x9d\n\nOMB Circular A-130 states that a contingency plan must be developed, documented, and tested to assure that\nusers of the system can continue to perform essential functions in the event the information technology support\nfor their application is interrupted. The plan should also be consistent with the agency-wide disaster/recovery\nplan.\n\nOMB Circular A-130 further guides that \xe2\x80\x9cAgencies shall establish policies and assign responsibilities to assure\nthat appropriate contingency plans are developed and maintained by end users of information technology\napplications. The intent of such plans is to assure that users continue to perform essential functions in the event\ntheir information technology support is interrupted. Such plans should be consistent with disaster recovery and\ncontinuity of operations plan maintained by the installation at which the application is processed.\xe2\x80\x9d\n\nManagement informed us that due to funding constraints, both the COOP and DRP have been unfunded for TIER\nand CFO Vision. Without corporate business continuity and disaster recovery plans, if a natural disaster caused\nthe system to fail, the Department\xe2\x80\x99s ability to restore operations and continue its business operations may be\nsignificantly delayed.\n\nRecommendations\n\nWe recommend that the CIO develop, implement, and test a continuity of operations plan and a disaster recovery\nplan for the TIER and CFO Vision applications. Additionally, this plan should be tested annually upon\nimplementation.\n\nManagement Response\n\nTo achieve economy of scale, the CIO\xe2\x80\x99s Office intends to review disaster recovery and COOP planning for the\nsuite of applications managed at the Qwest CyberCenter. 
Though the Department agrees with the\nrecommendation, we must prepare a justification to obtain the required funding through the CIO\xe2\x80\x99s investment\nmanagement program.\n\n\n\n                                                     23\n\x0c                                                                                           Exhibit I\n\n                             DEPARTMENT OF THE TREASURY\n                                      FISCAL YEAR 2005\n                                    Management Letter Report\n                         Status of Prior Year Management Letter Comments\n\n\n        Prior Year Recommendations                                  Current Year Status\n\n I    Financial Reporting Standards for Department     This comment has not been corrected and is\n      Component Entities Should be Consistent          repeated in the current year as comment\n                                                       number 05-02.\nII    Analysis of Financial Reports at         the     This comment has been resolved and closed.\n      Department Level Should be Improved\n\nIII   Fund Balance with Treasury Reconciliations       This comment has been resolved and closed.\n      Should be Prepared on a Consistent Basis\nIV    The Exchange Stabilization Fund Budgetary        This comment has not been corrected and is\n      Accounting Methodology Should be Clarified       repeated in the current year as comment\n                                                       number 05-03.\nV     Segregation of Duties Related to TIER Should     This comment has been resolved and closed.\n      be Strengthened\nVI    CFO Vision Access Controls Should be             This comment has been resolved and closed.\n      Strengthened\nVII   TIER Access Controls Should be Strengthened      This comment has been resolved and closed.\n\n\n\n\n                                             24\n\x0c'